PCI DSS Compliance Checklist

Credit card fraud is a serious problem, but it’s an avoidable one. If your company accepts payments by credit card, you’re responsible for complying with the Payment Card Industry Data Security Standard, or PCI DSS—an unwieldy acronym, to be sure, but a simple set of 12 steps that will make your life easier. More importantly, PCI DSS compliance will inspire confidence in your clients when they entrust you with their most sensitive information.

We’ve put together a PCI DSS compliance checklist that lays out the 12 requirements you should make sure your company heeds. Keep in mind that each payment card brand has its own method for validating and enforcing the standards, so check with the brands you work with to make sure you’re fulfilling their requirements.

PCI DSS Compliance Checklist 1: Install and maintain a firewall configuration to protect cardholder data.

Now that most business is done online, little information is kept in hard copy, and the appealing content residing on your network is what malicious actors try to reach. A firewall restricts inbound and outbound traffic from untrusted networks and can specifically block any traffic that isn’t appropriate for the cardholder data environment.

In our minds, though, a firewall is becoming increasingly irrelevant, especially if you’re using the cloud. There’s little point in building the network firewall higher and higher if your data no longer resides behind it and is instead stored on a cloud-based server. In that case, encryption is your friend.

PCI DSS Compliance Checklist 2: Don’t use vendor-supplied defaults for system passwords and other security parameters.

Rather appallingly, the most common password still used by businesses is “password.” Guessing passwords is the easiest way for a hacker to access a protected network, and leaving default passwords unchanged is like giving a hacker a key to your house. What’s more, recycling passwords across various services can also leave you vulnerable to attacks. Hackers can exploit the weakest security system to procure passwords, and apply them across other services to access a veritable trove of data. Changing a password takes mere seconds and is perhaps the easiest way to keep hackers at bay. Don’t hesitate to do it!

PCI DSS Compliance Checklist 3: Protect stored cardholder data.

Handling cardholders’ names and their credit card numbers, expiration dates, CVV codes, PINs, and related information is par for the course in business transactions. But you shouldn’t store this data unless it’s necessary for the needs of your business, and even then don’t store it longer than you need to. Make sure you’ve established—and shared with your employees—a clear data retention policy that outlines how long cardholder information needs to be kept for business, legal, or regulatory reasons. Sensitive authentication data, such as the track data read from the magnetic stripe, CVV numbers, and PINs, must not be stored at all.
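To make the two rules above checkable (a retention window, and no stored authentication data), here is an added example that is not part of the original checklist or Sookasa’s software: it audits a set of stored records and flags any record holding CVV/PIN/track fields, magnetic-stripe track data hidden in a free-text field, or a record older than the retention window. The record layout, field names and sample records are constructed assumptions; the Track 1/Track 2 layouts and the Luhn check are the standard ones.

```python
"""Audit stored cardholder records for a retention window and the PCI DSS ban on storing
sensitive authentication data (requirement 3). Constructed example; schema is assumed."""
import re
from datetime import date, timedelta

# Sensitive authentication data that must never be stored after authorization.
FORBIDDEN_FIELDS = {"cvv", "cvv2", "cvc", "pin", "pin_block", "track1", "track2"}
# Magnetic-stripe layouts: Track 1 is %B<PAN>^NAME^..., Track 2 is ;<PAN>=<YYMM>...
TRACK_RE = re.compile(r"(?:%B|;)?(\d{13,19})(?:\^[^^]*\^|=\d{4})")

def luhn_ok(pan: str) -> bool:
    """Luhn checksum, to confirm a digit run inside track data is really a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def audit_records(records, today, retention_days):
    """Return (record_id, finding) pairs: forbidden fields present, track data
    hidden in free-text fields, and records older than the retention window."""
    findings = []
    cutoff = today - timedelta(days=retention_days)
    for rec in records:
        rid = rec["id"]
        for field, value in rec.items():
            if field.lower() in FORBIDDEN_FIELDS and value not in (None, ""):
                findings.append((rid, f"forbidden field stored: {field}"))
            elif isinstance(value, str):
                m = TRACK_RE.search(value)
                if m and luhn_ok(m.group(1)):
                    findings.append((rid, f"track data found in field: {field}"))
        if rec["stored_on"] < cutoff:
            findings.append((rid, "older than retention window"))
    return findings

# Constructed sample records; 4111111111111111 is a well-known test PAN, not a real card.
SAMPLE_RECORDS = [
    {"id": "r1", "pan": "4111111111111111", "exp": "1227", "stored_on": date(2024, 3, 1)},
    {"id": "r2", "pan": "4111111111111111", "cvv": "123", "stored_on": date(2024, 3, 1)},
    {"id": "r3", "pan": "4111111111111111", "stored_on": date(2024, 3, 1),
     "notes": "%B4111111111111111^DOE/JANE^1227101?"},
    {"id": "r4", "pan": "4111111111111111", "stored_on": date(2023, 1, 1)},
]

def run_sample():  # audit the sample set with a 90-day retention policy as of 2024-03-15
    return audit_records(SAMPLE_RECORDS, date(2024, 3, 15), 90)
```

Only r1 passes: r2 stores a CVV, r3 has Track 1 data pasted into a notes field, and r4 is past the 90-day window.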

PCI DSS Compliance Checklist 4: Encrypt transmission of cardholder data across open, public networks.

Cybercriminals lurk on open, public networks, and if you’re transmitting cardholder data this way, it’s imperative to protect it. Encrypted files are unreadable even if they’re intercepted. This is where Sookasa can help you too: by encrypting files before they reach the cloud, Sookasa makes it remarkably simple and safe to store cardholder information on Dropbox, affording more security than any standard means of encryption.

PCI DSS Compliance Checklist 5: Protect all systems against malware and regularly update anti-virus software or programs.

Deploying antivirus software and keeping it up to date will thwart threats from malicious software (malware), which can enter the network undetected through an authorized user’s email or other online activities. This is also where you should educate your employees: malware is becoming increasingly sophisticated and can slip in unnoticed by masquerading as a trusted email sender.

PCI DSS Compliance Checklist 6: Develop and maintain secure systems and applications.

You should regularly check for vulnerabilities in all of your systems and remediate them with vendor-supplied security patches. These perform a quick repair, and keeping your patches up to date will prevent exploitation of any detected vulnerabilities.

PCI DSS Compliance Checklist 7: Restrict access to cardholder data by business need to know.

Make sure that sensitive data can only be accessed by those employees whose job requires that particular data. Take advantage of tools, such as those supplied by Sookasa, that allow you to update permissions in real-time and revoke access to files for users or devices as necessary.

PCI DSS Compliance Checklist 8: Identify and authenticate access to system components.

Providing each of your employees with a distinct ID ensures that interactions with sensitive data are only undertaken by—and can be traced to—authorized users. In other words, no group, shared, or generic IDs should be acceptable. A password, pass card, or biometric should also be used to authenticate users, and any remote users ought to be subject to two-factor authentication.

PCI DSS Compliance Checklist 9: Restrict physical access to cardholder data.

Businesses are required to physically secure or restrict access to printouts of cardholder data (including receipts), media where it is stored, and devices used for storing or accessing data. Cybercrime is certainly a menace, but you should always remember that old-fashioned physical theft is still a possibility that can derail your company if not properly preempted.

PCI DSS Compliance Checklist 10: Track and monitor all access to network resources and cardholder data.

Logging mechanisms help track activity across your systems and networks; review the logs periodically, because in the event of a breach you’ll need to know what went wrong. Sookasa lets you view which files have been accessed most recently and by whom, and team administrators can request such audits for all their employees’ files. If you do audits periodically, you can snuff out suspicious activity early.

PCI DSS Compliance Checklist 11: Regularly test security systems and processes.

New vulnerabilities are constantly being discovered by hackers and researchers, and new software introduces new ones. Testing system components, processes, and custom software should become part of your routine, and make sure to run an extra check whenever you change something about the way you work.

PCI DSS Compliance Checklist 12: Maintain a policy that addresses information security for all personnel.

A strong security policy sets the tone for your company’s security, and it informs employees of their expected duties. Make sure your staff understands the importance of keeping cardholder data secure, and make sure you have an incident response plan so as to act immediately in the event of a breach.

If you’ve got the steps on this PCI DSS compliance checklist covered, your customers can probably breathe easy. But remember that remaining compliant takes more than a one-time check; it’s something that must be consistently monitored. For more information on the steps outlined in this checklist, take a look at the PCI DSS Quick Reference Guide.